|UK BYOD Security: 82% Of Biz Unaware Of Existing Data Protection Expenditures
The UK Information Commissioner's Office (ICO) ordered a report to find the extent of English businesses' knowledge on the European Commission's data protection reforms. Among other things, the updates to the privacy laws further encourage (indirectly) the use of data protection software, like AlertBoot's Mobile Security for smartphones and tablets, as well as introducing novel ideas such as the "right to be forgotten."
The survey's results are not very encouraging. For example, it turns out that 82% of businesses did not know how much they spend on data protection. Observed information-age.com,
it is not surprising, then, that 87% could not estimate what the impact of the reforms would be.
Respondents were asked to describe the reforms as they understand them. Four out of ten had an inaccurate understanding of all ten reforms, and not one fully understands every one.
An Easier Way? A Totally Transparent Cost Structure
I don't know about "the inaccurate understanding of all ten reforms," but I can understand why most businesses don't have a good idea on their data protection budget. The answer is that it's not easy figuring out what it actually costs.
Consider just one example of data security: laptop computer encryption and mobile device security for smartphones and tablets. Under the traditional model you have:
- License purchases. Depending on the approach, a company may have to purchase the licenses in pre-arranged blocks, say at least 100 licenses, and 50 additional license blocks after that. If you need 105 licenses, you have to purchase 150. The remaining 45 are sometimes called "shelfware" because that's where they end up; maybe you'll them all, maybe you won't.
Because computers are tracked (e.g., to install updates or new software), you have a good idea of how many machines are on your network. But the cost of the data security is actually greater than that because of shelfware as well as computers than are not plugged to the network. Unless you have meticulous records, chances are your estimates will be lower than reality.
- Bring Your Own Management Server. In other words, you have to provide the infrastructure for managing, deploying, and installing the licenses you just purchased. Of course, you could do it without central management. But if you have more than, say, 50 computers to manage (again, to install updates or new software or whatever), a management server saves time and money. But only if you plunk down money. The problem is that you may add, retire, or repurpose servers as necessary or as opportunity permits.
And, by doing so, you also change the equations for what you're spending in terms of electricity, peripherals (like LAN cables and whatnot), etc. In the end, these add up to a substantial figure. But, with things moving in and out, you're never quite sure what the figure is. For example, a management server for full disk encryption is repurposed as a printer server...did you update your accounting spreadsheets as well?
- Data Center. Many companies make use of data centers to ensure reliability and uptime of core operations. The data security portion probably holds a fraction of the space allocated in a data center. So what are its costs, exactly? You know you're paying saying, $5,000 per month, but how much of that is assigned to the data protection portion? Good luck finding out.
- Employees. Maybe the company has an IT department. And maybe the IT department's personnel are doing double (or triple) duty as coders, troubleshooters, software installers, hardware installers, and who knows what else. How much of their time is spent on data security stuff? Or maybe they've got people dedicated to doing password resets for people who forgot their passwords and are locked out of their computers.
As you can see, trying to figure out how much data security costs is fraught with blind spots.
Of course, it doesn't necessarily have to be this way. AlertBoot's security suite for endpoints – AlertBoot Mobile Security for BYOD and AlertBoot Full Disk Encryption for laptop hard drives – are a model of cost transparency: a flat annual price without any predefined license purchases: you can obtain as many (or as little) licenses as you need.
This is possible because the solution is cloud-based, hosted on AlertBoot's data centers. This means any hardware and software issues are left up to AlertBoot. Furthermore, the company provides support and password recovery services 24/7, ensuring that the IT department is focused on more important matters.
Because all of this is included in AlertBoot's offerings, calculating data security costs are also very easy.
Related Articles and Sites:
|Smartphone Security: Facebook App - Yes, They Can Use Your Smartphone Camera (But They Won't)
Whenever I mention that AlertBoot Mobile Security, an MDM for protecting smartphones, allows one to disable their camera (and keep it that way), some people say something along the lines of "hey, that's great for companies infringing on my darn tootin' rights to do whatever the heck I want with my own smartphone that I'm allowed to use at work, but why would I personally want that?"
I never could answer this question. What is the value of this feature for the smartphone owner? Thankfully, Facebook is making the case for me on this one.
Facebook Spokesperson Essentially Says: "Trust Us"
In what I can only describe as one of the most horrific (but also naively refreshing?) statements I have read in a while, businessinsider.com had this to report (my emphasis):
While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.I realize that I haven't even covered the details of the story, but doesn't the above kind of make the hairs on your neck stand up, and tells you all that you need to know, regardless of the story?
I know it does to me.
It's Google's Fault
Eli Langer over at storify.com has a story on how people are "complaining about Android applications" for Facebook and Google Search. Namely, that these apps can use a smartphone's "microphones and camera at any point without any confirmation."
I wouldn't have believed it if it weren't for a screenshot that shows the legal language. You can find it by visiting the story, but it reads:
Record Audio: Allows the app to record audio with the microphone. This permission allows the app to record audio at any time without your confirmation.Now, a screenshot in the age of Photoshop means nothing. But, consider this: (1) multiple people are tweeting about it, (2) neither Mr. Langer nor businessinsider.com are not known for pulling April Fool's day pranks in mid-May (as far as I know, that is), and (3) there is the admission by a Facebook spokesperson, which we already saw above. In fact, the full quote in the businessinsider.com article is the following:
Take Pictures and Videos: Allows the app to take pictures with the camera. This permission allows the app to use the camera at any time without your confirmation.
A spokesperson for Facebook explains this [the legal language above] as follows: the language in this disclaimer comes from Google and wasn't written up by Facebook, it's simply how Android handles camera access. While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.I'm on the fence whether the full passage makes the spokesperson's statement more or less creepy. One the one hand, the "openness" and "transparency" are appreciated (even if most people wouldn't read the legalese). On the other hand, a living, breathing person telling me that I should ignore the implications.... well, let's just say that I'm pulling out of storage my X-Files t-shirt just for this occasion.
AlertBoot is one of the many companies that have a BYOD solution. It's an MDM (mobile device management) service that allows one to control and manage smartphones and tablets from the cloud, and it includes features like remote data wipe, password policies, and Wi-Fi provisioning (and more, of course).
It also includes the ability to disable cameras on mobile devices. Many companies do not allow cameras in the workplace for myriad reasons, and this is how it works in AlertBoot:
The policy is updated for devices, and that's that. This works as long as the device is not jailbroken (of which the administrator will be notified).
- A policy is created in the online management console. For simplicity's sake, it'll be for disabling the camera.
- Apply it.
If a regular/official/authorized version of the device's OS is in place, the Facebook app will not be able to access the camera, period (in the event of a conflict between the app settings, "use camera," and the AlertBoot MDM settings "camera disabled," the latter comes out on top, as should be the case).
Of course, the "real" solution is for Google and/or Facebook to change their policies and not allow this to happen. I mean, the app can technically access your mic and camera but "it won't happen?" Why build it, then? And why ask for permission to use it without your being aware of it?
Related Articles and Sites:
|BYOD Security: Complying With Australian Privacy Principle 11
Last week (28 April to 4 May 2013) was "Privacy Awareness Week" in the Asia Pacific region. Australia is one of the entities that participates in PAW (the others are, in alphabetical order, Canada, Hong Kong, Korea, Macau, Mexico, New Zealand, and the USA).
As part of the awareness campaign, the Office of the Australian Information Commissioner (OAIC) released their "Guide to Information Security: 'reasonable steps' to protect personal information." There is much information, and an entire subsection is dedicated to the use of encryption. That doesn't come as a surprise, seeing how cryptography is a key aspect of effective IT security; it could very well end up being the only information security measure that is (indirectly) listed as a requirement in complying with the Australian Privacy Principles.
BYOD and Australian Privacy Principle 11
According to the Parliament of Australia:
Australian Privacy Principle 11 (APP 11) protects personal information by imposing specific obligations on both agencies and organisations which hold that information. The principle also provides that entities take reasonable steps to destroy or de-identify the personal information once it is no longer needed... these obligations are in line with international best practice on privacy protection.
What are these "specific obligations" that are "in line with international best practice on privacy protection"? The answer to this question is quite complex, but when it comes to BYOD, mobile devices like smartphones and tablets, and laptop computers and their storage accessories, using encryption software to protect the data is probably up there on the do-list.
Consider the following:
- Best practices vary from country to country, but most include a provision for data encryption, and provide safe harbor from legal and other penalties if used.
- Encryption is used extensively for destroying or de-identifying information. For example, remote wiping of smartphones is based on deleting the encryption key (Note: Best practices still require physical destruction of information – including shredding, grinding, melting, etc., but only when it is possible to do so. If a device is lost or missing, encryption is the last, and best, resort).
- Encryption is at the heart of all e-commerce, including on-line banking and credit card processing.
- Where such data is made available – such as the USA's HIPAA (Health Insurance Portability and Accountability) "Wall of Shame" – the loss of devices accounts for more than 50% of data breaches (in the case of HIPAA, those affecting 500 or more people).
Encryption is a time-tested, bona fide solution for the many risks that accompany the use of devices that store sensitive data. Australian law, however, will probably follow in the footsteps of established legislation around the globe and not make its use a requirement.
Instead, indirect incentives for its use, such as the extension of safe harbor for encrypted data, which was already mentioned before, or monetary fines and penalties for data breaches where encryption is not used, are much more likely (and the accepted model in other countries).
Indeed, it was revealed only one week ago that financial penalties will be assess under the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013:
Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations - a maximum penalty which was last month increased from $220,000 and $1.1 million respectively.
Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.
Making It Easy to Install, Deploy, and Manage BYOD Encryption
Of course, there will be other ways to comply with APP 11, depending on the circumstances. However, it wouldn't be a reach to say that none of these other solutions offer the dynamism, robustness, facility, or peace of mind that encryption offers.
Just because encryption is a proven technology and easy to use, however, it doesn't mean that it's easy to set up or maintain. An individual user must, among other things:
- Ensure that the machine is ready for successful installation,
- Ensure that the encryption key or keys are backed up (just in case. Otherwise, it will prove impossible to recover the protected data if something were to go awry, like a disk becoming corrupted),
- Ensure that there is a way to regain access to the information if one forgets one's password,
Try doing the above for more than one computer, and soon you're running into logistical problems. Indeed, effective encryption key management is seen as the top challenge for organizations that use encryption to secure their data.
The use of an encryption management server, if one's available for the particular cryptographic software you're using, resolves these issues but introduces another problem. Namely, that you've got to maintain the server, which requires its own resources: employee time; additional costs for said time, underlying software, hardware, server space, etc.; and concerns about scalability and reliability. (On a personal note, I've seen encryption management servers slow down once they start reaching around 2,000 users, a stark contrast to its zippy past when there were only a couple of hundred endpoints listed.)
Avoiding such problems is what makes AlertBoot Mobile Security such an effective service. The cloud-based solution makes keeping track of encryption keys very simple, and installation can be started in minutes, not days (or weeks, or months!) from anywhere with an internet connection. And, the 24/7 password recovery (via phone or web-based self-service) ensures that users will have a verified method for regaining access to their machines.
Of course, encryption is not the be-all, end-all: seeing how APP 11 is the eleventh privacy principle, logic dictates that there must be at least ten more of these (there are thirteen in all), and their compliance bring their own unique challenges.
However, encryption is bound to be one of the core solutions for compliance, and AlertBoot is one of the easiest and cost-effective methods to do so. If you'd like more information, you can start by visiting us here or here, if you're looking to become a partner.
Related Articles and Sites:
|Encryption And Security: WWII Encryption Cracked, Shows Strength Of Crypto Algorithms
World War II and encryption is back in the news. According to the Daily Mail, mathematicians, historians, and geography experts at Plymouth University combined their efforts to crack the messages that were hidden in personal letters, letters sent home by a UK prisoner-of-war held in Germany. While the algorithm that was cracked is not as dependable as modern mobile encryption and security, it shows us why cryptography is a powerful information security tool.
As I alluded, this is not the first time that old-time cryptography is making waves in modern times. The world was treated to a bizarre surprise when cleaning out a chimney resulted in the discovery of a 70-year mystery. The big difference in this case is that we know that happened, unlike the dead-pigeon saga.
Smalltalk about a Garden Turns into Coded Casualty Report
The folks over at dailymail.co.uk put it best when they noted:
Many seeds are left, being saved from several plants which did very well some time ago.The encryption (and decryption) algorithm is quite a pretty convoluted process. Among other things, there were:
'Our last year's harvest was extremely good. Well worth repeating again for this year.'
But it meant: 'HMS Undine attack failure. Trawler depth-charged, scuttled in 70 feet, three burnt.'
- Predetermined indicators that a letter contained a coded message: (1) writing the letter's date in "Continental format" (day/month/year) as opposed to the typical English method (month/day/year), and (2) underlining one's own signature at the end of the letter.
- Using the first two words of the first line (after the greetings) to indicate what kind of grid/matrix to use.
- Counting only the fourth or fifth letters to create the message.
- Using certain keywords as signifiers for the end of a message, the start of a message, and secret requests for items that could be used during an escape.
When you consider how simple the code is, relatively speaking, it's amazing how much information the POWs were able to pack in their letters. I'm especially impressed by the use of the matrix at the beginning, since it would make it harder to crack the code.
Mobile Devices and BYOD: Modern Encryption Much More Secure
Of course, modern encryption – for example, those used to protect smartphones and tablets like iPhones and Android phones – is much more secure than what was used in WWII. But, the principles remain the same.
Well, to a degree. With modern encryption such as AES-256, which is used by AlertBoot to protect hard drives on laptop computers, most estimates show that all the processing power in the world would still take a few centuries before a significant dent can be made in forcefully cracking data.
This is why if your workplace has a "bring your own device" policy, you're probably required to use encryption on your smartphone, tablet, or PC/laptop: even if you lose your device, the chances of the data falling into the wrong hands are infinitesimally small.
Related Articles and Sites:
|Android Security: Pattern Lock Is Stronger Than You Think
How secure is the pattern lock found on Google Android devices? Apparently, quite a bit. Of course, it can be made very easy to crack. For example, if the so-called pattern is a straight line, that's not much security, is it? That's the equivalent of using "password" as a password, and defeats BYOD smartphone security, even if something like AlertBoot's Mobile Security is used to enhance their protection.
But, if you're not into hamstringing yourself, it turns out that the pattern lock can be very secure. So secure, in fact, that the FBI had to issue a warrant to Google to get the device unlocked.
Or so the headlines would lead you to believe....
FBI Wants Access to Pimp's Phone
"FBI, stumped by pimp's Android pattern lock, serves warrant on Google" is the headline at arstechnica.com (14 March 2013). A similar observation is made by wired.com.
The story: a pimp with a criminal history is found to be using an Android phone to coordinate his business activities in the sex trade. The FBI gets a warrant to search his house and belongings, which includes the phone. Pimp won't cooperate. So, the FBI sends the phone to its technicians, who eventually end up triggering a device lock-out after too many erroneous attempts. Once that happens, the FBI applies for a second warrant so that Google will unlock the phone.
So, what happened? As the arstechnica.com article notes, studies have shown that smudges on the phones can defeat the pattern lock. It's a guessing game, and under "ideal conditions" researchers were able to gain access to a phone 90% of the time.
But then, those are under ideal conditions. Make the pattern long enough and complex enough, and the odds of successfully breaking into a smartphone plummet. Especially if you attempt it more than 20 times. After the twentieth entry, the phone will lock you out, as noted earlier, and the only way to regain access is to provide the Google email address and password.
Mobile Security: MDM Controls Maximum Number of Failed Attempts
One of the features in AlertBoot Mobile Security is setting a policy for the number of failed passcode attempts before data on a device is wiped. This is a powerful way of ensuring data security for two reasons:
- Chances are that, if the passcode is entered incorrectly too many times, it's not the device owner who's trying to gain access. (Of course, you need to find a balance. One wrong attempt is too little, but more than 15 wrong attempts is too much, never mind 20!)
- Remote wiping sometimes doesn't work because the device is not connected to a network. Why not establish a self-destruction mechanism independent of internet or cellular network connectivity?
The real star of the FBI story is not really the pattern lock – which can work wonders, obviously – but the fact that you (or, rather, someone other than you) will get locked out after too many incorrect attempts.
If there was no limit, who's to say what would have happened?
Related Articles and Sites:
|BYOD Australia: Data Breach Notification Laws Coming Sooner Than You Think (Updated)
It looks like Australia may finally join the rest of the world and push forward a data breach notification law. According to itnews.com.au, Attorney-General Mark Dreyfus is helming the introduction of a law mandating notifications when Australians' personal information end up exposed. This time, it looks real (I blogged in 2009 that such laws were coming real soon. I guess I'm not quitting my day job for fortunetelling).
Update (02 MAY 2013): Well, well...perhaps I shouldn't give up so fast on the fortunetelling. According to SC Magazine, drafts of the data breach notification law have been leaked (at least, "leaked" seems like the correct word, since they were stamped "confidential.")
Among other things, this means more Australian companies will have to start considering the use of data security software and services, such as AlertBoot's mobile device management security suite, or face the consequences when a data breach takes place.
Growing Number of Breaches Shows Need for Mandatory Notification
The road for mandatory reporting of data breaches is a long one. In 2008, the Australian Law Reform Commission (ALRC) published a report on privacy. This three-volume report also included recommendations on data breach notifications for Australia. When you take into consideration that the report is the culmination of a 28-month effort, you can see that the issue of data breach notifications could have been discussed as early as 2006. (The very first such law, California SB 1386, went into effect in 2002).
In 2009, it was rumored that Australia would be passing a mandatory data breach notification law "real soon". Four years later, we're still hearing the same story.
It's Different this Time...?
But, this time, it's different. In October of 2012, feedback was sought on a mandatory Australian data breach law. And, the Attorney-General commented that,
...the growing amount of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme. Between 2011 and 2012, there was an 11% increase in privacy complaints. Plus, many surveys are showing that Australians support the idea of mandatory data breach notifications. The Privacy Commissioner has called for such a law as well.
"If there continues to be under reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme," he said.
Guide to Information Security Published
Another indication that Australians will see such a law sooner than later? The Office of the Australian Information Commissioner (OAIC) has released the final draft of the "Guide to Information Security: 'Reasonable Steps' to Protect Personal Information".
While the guideline is not binding, the Commissioner has noted that "its recommendations provides [sic] the best insurance against data breaches" and that "[the OAIC] intend to refer to it when assessing compliance with the data security obligations under the Privacy Act."
It looks like a number of different parameters are beginning to converge, and the writing is on the wall. If your company is based in Australia, this may be a good time to check out AlertBoot's data security offerings: mobile security for BYOD (tablet and smartphone protection) and full disk encryption for laptops.
Related Articles and Sites: